[A]ndroid [A]pplication [P]entest [G]uide

1.4 Source Code Analysis

1.4.1 SEARCH

Endpoints & URL-matching patterns

grep -Ei -e 'api' -e 'https?' -e 'URI' -e 'URL' -R .
grep -Eio -e 'https?://[^/"]+' -e 'content://[^/"]+' -R .

Files & their permissions

grep -Ei -e 'MODE_WORLD_READABLE' -e 'MODE_WORLD_WRITEABLE' -R .
grep -Ei -e 'getCacheDir' -e 'getExternalCacheDirs' -R .
grep -Ei -e 'openFileOutput' -e 'FileOutputStream' -e 'OutputStream' -e 'getExternalFilesDir' -R .

Database & realms

grep -Ei -e 'localUserSecretStore' -e 'getWritableDatabase' -e 'getReadableDatabase' -R .
grep -Ei -e 'realm' -e 'getDefaultInstance' -e 'beginTransaction' -R .
grep -Ei -e 'SQLiteDatabase' -e 'insert' -e 'query' -e 'delete' -e 'update' -R .

User

grep -Ei -e 'username' -e 'user' -e 'pass' -e 'passwd' -e 'userid' -e 'password' -R .
grep -Ei -e '\.config' -e 'secret' -e 'token' -e 'login' -e 'auth' -R .

Logs

grep -Ei -e 'Log\.v' -e 'Log\.d' -e 'Log\.i' -e 'Log\.w' -e 'Log\.e' -R .
grep -Ei -e 'log' -e 'logger' -e 'printStackTrace' -e 'System\.out\.print' -e 'System\.err\.print' -R .

Content

grep -Ei -e 'Cursor' -e 'content' -e 'ContentResolver' -e 'CONTENT_URI' -e 'Loader' -e 'onCreateLoader' -e 'LoaderManager' -R .

Keystore

grep -Ei -e 'AndroidKeystore' -e 'KeyStore' -e 'crypto' -e 'cipher' -e 'store' -R .
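The searches above become repeatable if each category is run as one grep and the hit counts are collected per category. The script below is an added example and not part of the original guide; it assumes nothing beyond POSIX sh and grep, and builds its own constructed Java file standing in for the decompiled sources.

```shell
# Added example, not from the original guide: run the guide's search
# categories over a decompiled source tree in one pass and count hits per
# category. Each category is a single grep whose patterns are joined into
# one ERE alternation (grep takes only one positional pattern, so the
# guide's "-Ei 'a' -Ei 'b'" form needs -e or | to search for both).

# join_patterns PATTERN... -> 'p1|p2|...' (ERE alternation)
join_patterns() {
  joined=""
  for p in "$@"; do joined="${joined:+$joined|}$p"; done
  printf '%s' "$joined"
}

# count_hits DIR PATTERN... -> number of matching source lines under DIR
count_hits() {
  dir=$1; shift
  # -E extended regex, -i case-insensitive, -R recursive, -I skip binaries
  grep -EiRI -e "$(join_patterns "$@")" "$dir" 2>/dev/null | wc -l | tr -d ' '
}

# report DIR -> "category<TAB>hits" for each of the guide's search categories
report() {
  src=$1
  printf 'endpoints\t%s\n'   "$(count_hits "$src" 'https?://' 'content://')"
  printf 'world-files\t%s\n' "$(count_hits "$src" 'MODE_WORLD_READABLE' 'MODE_WORLD_WRITEABLE' 'openFileOutput')"
  printf 'logging\t%s\n'     "$(count_hits "$src" 'Log\.[vdiwe]\(' 'printStackTrace' 'System\.(out|err)\.print')"
  printf 'credentials\t%s\n' "$(count_hits "$src" 'password' 'passwd' 'secret' 'token')"
}

# make_sample_tree -> path to a constructed stand-in for decompiled sources:
# one Java file with planted findings, not taken from any real app
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/com/example/app"
  cat > "$root/com/example/app/Settings.java" <<'EOF'
package com.example.app;
public class Settings {
    private static final String API = "http://api.example.com/v1/login";
    void save(String password) {
        getSharedPreferences("prefs", MODE_WORLD_READABLE);
        Log.d("Settings", "pw=" + password);
        openFileOutput("dump.txt", MODE_WORLD_WRITEABLE);
    }
}
EOF
  printf '%s' "$root"
}

report "$(make_sample_tree)"
```

Point `report` at the directory produced by the decompile step instead of the sample tree; the raw matching lines for a category can be listed by rerunning the same grep without the `wc -l`.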

1.4.2 OPEN SOURCE FILES

jd-gui app-dex2jar.jar
  • opens .jar/.java/.class files

  • or use an IDE of your choice (Android Studio or Eclipse)

1.4.3 INFO

INTERESTING CLASSES

  • SharedPreferences (stores key-value pairs)

  • FileOutputStream (writes to internal or external storage)

INTERESTING FUNCTIONS

  • getExternal* (uses external storage)

  • getWritableDatabase (returns an SQLiteDatabase opened for writing)

  • getReadableDatabase (returns an SQLiteDatabase opened for reading)

  • getCacheDir / getExternalCacheDirs (uses cached files)

1.4.4 THINGS TO REPORT

  • Cleartext credentials (including base64-encoded or weakly encrypted ones)

  • Cracked credentials (brute-forced, guessed, decrypted with a stored cryptographic key, and so on)

  • File permission MODE_WORLD_READABLE / MODE_WORLD_WRITEABLE (other apps/users are able to read/write the file)

  • HTTP in use (no SSL/TLS)

  • Anything that shouldn't be there (debug info, comments with information disclosure, ...)

Last updated 5 years ago
